Test and Trace Support Payment Privacy Notice
Who we are
Teignbridge District Council is registered with the Information Commissioner’s Office (ICO) as a ‘data controller’ under the Data Protection Act, entry Z5463710. We are a public authority and have a nominated Data Protection Officer who can be contacted on firstname.lastname@example.org.
On 28 September 2020, the Government passed into law a National Test and Trace Support scheme. From 12 October, a one-off payment of £500 or access to a discretionary fund will be available for eligible individuals.
If you apply, we will need to process your personal data to assess whether you are eligible to receive financial support, and if so, to provide a payment to you.
Teignbridge District Council is the ‘data controller’ for the purposes of assessing eligibility, administering and making payments under the Test and Trace Support scheme.
The Department of Health and Social Care has commissioned NHS Test and Trace on behalf of the government and is the ‘data controller’ for the purposes of providing Test and Trace data to Teignbridge District Council.
What are self-isolation payments?
If you have been told by the NHS to self-isolate, either because you have tested positive for Covid-19 or you have been in contact with someone who has tested positive, you may be entitled to some financial support during your self-isolation period.
People who are eligible will receive a £500 one-off test and trace support payment or provision from the discretionary fund to remain at home to help stop the spread of the virus.
What information do we collect about you?
We will collect, store and use the following categories of personal information about you:
- Personal contact details such as name, title and address for you (and your proxy where you nominate someone else to complete this application on your behalf)
- Identifying details, including date of birth and national insurance number
- Employer name and address
- NHS notification number (the unique reference you will be given by NHS Test and Trace Service to self-isolate)
- Bank account details
- Proof of self-employment, for example, recent business bank statement (within the last two months), most recent set of accounts or evidence of self-assessment
- Information about health and medical details.
We will also collect telephone numbers and email addresses so that we can contact you, or your proxy. If we hold a mobile number for you, or your proxy, we may send a text.
Where we get your information from
Information is collected from you as the service user through online web forms when completing your application for a self-isolation support payment or by recording of your telephone call if calling our main customer support centre (or our Council Tax, Business Rates and Benefit Service direct). This information will be collected either from you directly as the data subject, or from a representative acting on your behalf.
All of our online forms have their own privacy notice at the beginning before you enter any personal information. We recommend that you read the privacy notice before filling in the form.
We will obtain data from the NHS Test and Trace Service to confirm that you have either tested positive for Covid-19 or you have been in close contact with someone who has tested positive for Covid-19. As this data is related to your health it is referred to as ‘special category data’.
You or your nominated representative will also provide us with additional personal data in relation to your application for a self-isolation payment.
How your information will be used
In order to provide services to you, it is necessary for us to collect and hold personal information about you. This information will be processed by us to:
- process your request or enquiry
- contact you in case of a query or an issue concerning the service you have requested
- process and make decisions on applications you have sent us
- process financial transactions
- help investigate complaints or concerns you have raised about the service provided
- help detect and prevent fraud and corruption in the use of public funds and where necessary for law enforcement functions
- maintain our own accounts and records
- help us build up a picture of how we are performing
- provide statistical analysis
- help with research and planning new services
If you fail to provide certain information, we may not be able to provide the service you have requested.
You may face prosecution if you have manipulated or falsified your position in order to obtain these payments, including failure to self-isolate as requested by NHS Test and Trace and which puts others at risk. Any payment made as a result of fraud will be subject to recovery action, as well as any grants paid in error.
When you contact us requesting certain services, your personal information may be recorded in our Customer Relationship Management (CRM) system to ensure those services can be delivered.
Personal data revealed during a telephone call will be recorded to deliver appropriate services. Occasionally special category personal data may be recorded where you voluntarily disclose health, religious, ethnicity or criminal information to support your request for advice and / or services.
Please read our Customer Support Centre Privacy Notice for more information.
Lawful basis for processing data
The lawful basis for processing your personal data is on the basis of legal obligation and public task.
We need your consent so that we can access your records in the NHS Test and Trace system, known as Contact Tracing and Advice Service (CTAS), to confirm that you are eligible for the Test and Trace Support Payment scheme. You can find out more information on this through the NHS Test and Trace Privacy Notice.
You may withdraw your consent at any time by contacting us on email@example.com. Please be aware that if you withdraw your consent, you will no longer be entitled to the payments under this scheme.
We are allowed to process special category data where it is necessary for us to fulfil our legal obligations and regulatory requirements. In relation to health, this is under:
• GDPR Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare
• Data Protection Act 2018 Schedule 1 Part 1 (2) – health or social care purposes
Separately, we have special permission from the Secretary of State for Health and Social Care to use confidential patient information without people’s consent for the purposes of diagnosing, recognising trends, controlling and preventing, and monitoring and managing communicable diseases and other risks to public health.
This is known as a ‘Section 251’ approval and includes using your test results if you test positive for Covid-19 to start the contact-tracing process. The part of the law that applies here is Section 251 of the National Health Service Act 2006 and Regulation 3 of the associated Health Service (Control of Patient Information) Regulations 2002.
Who we share your data with
We will carry out checks with the NHS Test and Trace Service and the Department for Work and Pensions (DWP) for verification purposes; Her Majesty’s Revenue and Customs (HMRC) for tax purposes; and with your employer to confirm your loss in income to validate your application.
Information relating to your application will also be sent to the Department of Health and Social Care to help understand public health implications, allow us to carry our anti-fraud checks and determine how well the scheme is performing.
We will provide information to HMRC about any payments we make because self-isolation payments are subject to tax. If you are self-employed, you will need to declare the payment on your self-assessment tax return.
We will not share this data with other organisations or individuals outside of the council for any other purpose unless we are required to do so by law or where it is appropriate to support our duty to protect public funds and / or detect and prevent fraud or other criminal activity or safeguarding requirements.
There may also be instances where our system suppliers will need to access individual’s personal information to ensure that information is being held securely and accuracy is maintained. This will be on a strict need to know basis and all contracts have confidentiality clauses built in.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality, and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
We will not transfer your information to countries outside the European Economic Area (EEA) unless this is necessary, and only to countries which have sufficient safeguards in place to protect information.
We will not share your information with third parties for commercial or marketing purposes.
How long do we keep hold of your information and is it secure?
We will only retain your personal information for as long as we are required to do so by law and the purpose we collected it for. The retention period is either dictated by law or by our discretion. Once your data is no longer needed it will be securely and confidentially destroyed.
Call recordings will be retained for thirty days after which they will be deleted and no longer retrievable. Customer records can be held on the Customer Relationship Management system (CRM) for up to six years.
We have implemented appropriate technological and operational security in order to safeguard your data from loss or misuse.
Automated decision making or profiling
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
Changes in your circumstances
You must notify us immediately if there are any changes in your personal details so we can maintain an accurate and up to date record of your information.
Your rights and access to your information
You have rights under the data protection legislation:
- to access your personal data, known as a subject access request;
- to be provided with information about how your personal data is processed
- to have your personal data corrected;
- to have your personal data erased in certain circumstances;
- to object to or restrict how your personal data is processed;
- to have your personal data transferred to yourself or to another business in certain circumstances;
- you have the right to be told if we have made a mistake whilst processing your data and we will self-report breaches to the Information Commissioner.
Should you wish to exercise any of your rights, you should contact the Data Protection Officer firstname.lastname@example.org.
If you have any concerns
You have a right to complain to us if you think we have not complied with our obligation for handling your personal information by contacting the Data Protection Officer in the first instance.
If you are not satisfied with the council’s response you have a right to complain to the Information Commissioner Office:
Telephone: 0303 123 1113
Or use their online tool for reporting concerns